Message-ID: <7beac4be-7924-48b5-804b-6400efd02834@suse.de>
Date: Tue, 6 Jan 2026 09:47:01 +0100
Subject: Re: [PATCH] [gdb] Fix heap-buffer-overflow in args_complete_p
To: Andrew Burgess, gdb-patches@sourceware.org
References: <20260103145559.2722584-1-tdevries@suse.de> <874iozygr7.fsf@redhat.com>
From: Tom de Vries
In-Reply-To: <874iozygr7.fsf@redhat.com>

On 1/5/26 8:57 PM, Andrew Burgess wrote:
> Tom de Vries writes:
>
>> PR gdb/33754 reports a heap-buffer-overflow here in args_complete_p:
>> ...
>> while (*input != '\0')
>> ...
>>
>> Fix this by introducing a lambda function at that safely handles all char
>> array accesses.
>
> Sorry to be a bore, but after reading this commit, and the bug report,
> it's still not obvious to me where the overflow actually occurs.
>
> I totally accept that this code is broken, but as I introduced this bug,
> I wanted to learn from this mistake, but this commit doesn't really
> explain what mistake is being fixed.
>
> Do you think you could explain what's actually going wrong here?
>

Hi Andrew,

agreed, it's not spelled out, sorry about that.

So, the heap-buffer-overflow happens with:
...
(gdb) p args $1 = "\"first arg\" \"\" \"third-arg\" \"'\" \"\\\"\" \" \" \"\" " ... and it's the fact that we don't check for '\0' after skip_spaces that is the problem. I think it should be possible to reproduce the problem with args == " ". So a minimal fix for this problem is: ... diff --git a/gdb/infcmd.c b/gdb/infcmd.c index 1a7daf1461b..fdcd4e4ba96 100644 --- a/gdb/infcmd.c +++ b/gdb/infcmd.c @@ -131,6 +131,8 @@ args_complete_p (const std::string &args) while (*input != '\0') { input = skip_spaces (input); + if (*input == '\0') + break; if (squote) { ... But the strchr problem is also there, so this: ... diff --git a/gdb/infcmd.c b/gdb/infcmd.c index 1a7daf1461b..4bcd523f79b 100644 --- a/gdb/infcmd.c +++ b/gdb/infcmd.c @@ -177,6 +177,8 @@ args_complete_p (const std::string &args) dquote = true; } + if (*input == '\0') + break; ++input; } ... would catch both, I think. Not that I'm suggesting this fix. Thanks, - Tom > Thanks, > Andrew > > > > >> >> Also: >> - factor out char array accesses using new variables c and next_c, and >> - check for end-of-string after skip_spaces. >> >> Tested on x86_64-linux. >> >> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33754 >> --- >> gdb/infcmd.c | 24 +++++++++++++++++------- >> 1 file changed, 17 insertions(+), 7 deletions(-) >> >> diff --git a/gdb/infcmd.c b/gdb/infcmd.c >> index 875bbe1ee69..ceacfd05683 100644 >> --- a/gdb/infcmd.c >> +++ b/gdb/infcmd.c 
>> @@ -126,17 +126,27 @@ static bool >> args_complete_p (const std::string &args) >> { >> const char *input = args.c_str (); >> + const char *end = input + args.length (); >> bool squote = false, dquote = false; >> >> - while (*input != '\0') >> + auto at = [&] (const char *s) >> + { >> + return s > end ? '\0' : *s; >> + }; >> + >> + while (at (input) != '\0') >> { >> input = skip_spaces (input); >> + char c = at (input); >> + if (c == '\0') >> + break; >> + char next_c = at (input + 1); >> >> if (squote) >> { >> /* Inside a single quoted argument, look for the closing single >> quote. */ >> - if (*input == '\'') >> + if (c == '\'') >> squote = false; >> } >> else if (dquote) >> @@ -148,10 +158,10 @@ args_complete_p (const std::string &args) >> and we don't skip the entire '\\' then we'll only skip the >> first '\', in which case we might see the second '\' as a '\"' >> sequence, which would be wrong. */ >> - if (*input == '\\' && strchr ("\"\\", *(input + 1)) != nullptr) >> + if (c == '\\' && strchr ("\"\\", next_c) != nullptr) >> ++input; >> /* Otherwise, just look for the closing double quote. */ >> - else if (*input == '"') >> + else if (c == '"') >> dquote = false; >> } >> else >> @@ -162,7 +172,7 @@ args_complete_p (const std::string &args) >> a quoted argument. The '\\' we need to skip so we don't just >> skip the first '\' and then incorrectly consider the second >> '\' are part of a '\"' or '\'' sequence. */ >> - if (*input == '\\' && strchr ("\"\\'", *(input + 1)) != nullptr) >> + if (c == '\\' && strchr ("\"\\'", next_c) != nullptr) >> ++input; >> /* Otherwise, check for the start of a single or double quoted >> argument. Single quotes have no special meaning on Windows 
>> @@ -170,10 +180,10 @@ args_complete_p (const std::string &args) >> host to determine what is, or isn't a special character, when >> really, this is a function of the target. */ >> #ifndef _WIN32 >> - else if (*input == '\'') >> + else if (c == '\'') >> squote = true; >> #endif >> - else if (*input == '"') >> + else if (c == '"') >> dquote = true; >> } >> >> >> base-commit: 0a153c58a0ab68c6fa349d2ad0bf6a42e043ab23 >> -- >> 2.51.0 >
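Review bot: the `break` added after `skip_spaces` in the `@@ -131,6 +131,8 @@` hunk of this reply is the check whose absence explains the bug report, and the commit message should say so. With trailing whitespace (the `args == " "` case, and the trailing space at the end of the `p args` output above), `skip_spaces` returns a pointer to the terminator, none of the quote branches match `'\0'`, and the unconditional `++input` at the bottom of the loop body moves `input` one past the terminator, so the next `while (*input != '\0')` reads outside the string's buffer.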
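Review bot: the `if (*input == '\0') break;` placed before the final `++input` in the `@@ -177,6 +177,8 @@` hunk catches the second path but does not name it: `strchr ("\"\\", *(input + 1))` treats the terminating NUL of its search string as part of the string, so when `*(input + 1)` is `'\0'` (a backslash as the last character) the call returns non-null, the escape branch advances `input` onto the terminator, and the loop-end `++input` steps past it. Checking `*(input + 1) != '\0'` before calling `strchr` would remove the cause rather than the symptom, and either way the reason belongs in a comment next to the check.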
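Review bot: in the `@@ -126,17 +126,27 @@` hunk the `at` lambda's `s > end ? '\0' : *s` is correct as written, since `end` points at the terminator that `std::string::c_str ()` guarantees, so `*end` is a valid read and only `s > end` needs to be short-circuited; a comment on the lambda should say that `input` can legitimately reach `end + 1` (after `++input` while on the terminator), which is the case the guard exists for. The commit message should also describe the overflow itself (trailing whitespace after `skip_spaces`, and the `strchr` case in the later hunks) rather than only the mechanism of the fix. `skip_spaces (input)` still takes the raw pointer, which is fine: it stops at the terminator, and `input` is only ever past `end` at loop entry, where `at (input)` returns `'\0'` before `skip_spaces` is reached.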
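Review bot: `strchr ("\"\\", next_c)` in the `@@ -148,10 +158,10 @@` hunk still returns non-null when `next_c == '\0'`, because `strchr` also searches the search string's terminating NUL. The bounded `at` makes the reads that follow safe, so this is no longer an overflow, but a string ending in a backslash inside double quotes is still treated as an escape sequence; `next_c != '\0' && strchr (...)` would state the intent and keep bounds safety and escape syntax as separate concerns.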
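Review bot: the same `strchr ("\"\\'", next_c)` NUL-matching point applies to the unquoted branch in the `@@ -162,7 +172,7 @@` hunk; a trailing backslash outside quotes still takes the escape path, and an explicit `next_c != '\0'` guard here would keep the branch consistent with whatever is done in the `dquote` branch.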
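To make the explanation in this reply concrete, here is a model of the loop under discussion, added as an example and not gdb's code. Every character read goes through a small `Reader` that counts reads past the terminator, so the two ways of leaving the loop with `input` beyond the end (trailing whitespace after `skip_spaces`, and a trailing backslash that `strchr` matches against the NUL ending its search string) show up as a non-zero count in the unpatched variant and as zero once the bounded accessor and the end-of-string check from the patch are in place. The names `Reader`, `Outcome`, `args_complete_model` and `kArgsFromBugReport`, and the `isspace`-based `skip_spaces`, are assumptions of this example; the `_WIN32` special case for single quotes is omitted.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Model of the args_complete_p loop from the thread (added example, not gdb's
// code). All reads go through Reader so that a read past the terminator is
// counted instead of silently touching memory beyond the c_str() buffer.
struct Reader {
  const std::string &s;
  bool bounded;          // true: behave like the patch's `at` lambda
  int out_of_bounds = 0; // reads a raw `*input` would have made past the buffer
  Reader(const std::string &str, bool b) : s(str), bounded(b) {}
  char at(std::size_t i) {
    if (i <= s.size())
      return s[i];        // s[s.size()] is the terminator c_str() guarantees
    if (!bounded)
      ++out_of_bounds;    // the unpatched loop dereferences here
    return '\0';          // stop the model instead of reading garbage
  }
};

// Model of gdb's skip_spaces: advance over whitespace, stop at the terminator.
static std::size_t skip_spaces(Reader &r, std::size_t i) {
  while (r.at(i) != '\0' && std::isspace(static_cast<unsigned char>(r.at(i))))
    ++i;
  return i;
}

struct Outcome {
  bool complete;      // what args_complete_p would return
  int out_of_bounds;  // number of reads past the terminator
};

// fixed == false: the loop as it was before the patch (raw reads, no check
// after skip_spaces). fixed == true: bounded accessor plus the early break.
static Outcome args_complete_model(const std::string &args, bool fixed) {
  Reader r(args, fixed);
  std::size_t input = 0;
  bool squote = false, dquote = false;
  while (r.at(input) != '\0') {
    input = skip_spaces(r, input);
    char c = r.at(input);
    if (fixed && c == '\0')
      break;  // the end-of-string check the patch adds
    if (squote) {
      if (c == '\'')
        squote = false;
    } else if (dquote) {
      // strchr counts the search string's terminating NUL as part of it, so a
      // trailing backslash "matches" when the next byte is '\0': input is
      // advanced onto the terminator and the loop-end ++input steps past it.
      if (c == '\\' && std::strchr("\"\\", r.at(input + 1)) != nullptr)
        ++input;
      else if (c == '"')
        dquote = false;
    } else {
      if (c == '\\' && std::strchr("\"\\'", r.at(input + 1)) != nullptr)
        ++input;
      else if (c == '\'')
        squote = true;
      else if (c == '"')
        dquote = true;
    }
    ++input;
  }
  return {!squote && !dquote, r.out_of_bounds};
}

// The args value from the bug report as printed in this reply: note the
// trailing space, which is what drives input past the terminator.
static const char *const kArgsFromBugReport =
    "\"first arg\" \"\" \"third-arg\" \"'\" \"\\\"\" \" \" \"\" ";

int main() {
  const char *samples[] = {" ", "\"\\", kArgsFromBugReport, "\"a\\\"b\""};
  for (const char *s : samples) {
    Outcome before = args_complete_model(s, false);
    Outcome after = args_complete_model(s, true);
    std::printf("%-48s before: complete=%d oob=%d  after: complete=%d oob=%d\n",
                s, before.complete, before.out_of_bounds, after.complete,
                after.out_of_bounds);
  }
  return 0;
}
```

Running it shows the unpatched loop making one out-of-bounds read for `" "`, for a string ending in a backslash inside double quotes, and for the bug report's own argument string, while the patched variant reports zero for all of them and still classifies the quoting correctly.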